Hi, I want to limit VM traffic to a specific MAC address, ie VMs cannot traffic each other other then a specific gateway. I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml located in /etc/libvirt/nwfilter/: <filter name='isolatedprivatevlan-vdsm' chain='root'> <filterref filter='clean-traffic'/> <rule action='drop' direction='out' priority='500'> <mac match='no' dstmacaddr='$GATEWAY_MAC'/> </rule> </filter>

VM1 domian xml portion: <interface type="bridge"> <mac address="00:1a:4a:16:01:53"/> <model type="virtio"/> <source bridge="red"/> <filterref filter="isolatedprivatevlan-vdsm"> <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/> </filterref> </interface> VM2 domian xml portion: <interface type="bridge"> <mac address="00:1a:4a:16:01:52"/> <model type="virtio"/> <source bridge="red"/> <filterref filter="isolatedprivatevlan-vdsm"> <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/> </filterref> </interface> in each VM (Fedora 15 LiveCD) I assign ip: # ifconfig eth0 10.35.1.240 netmask 255.255.254.0 # route add default gw 10.35.1.1 vm2: # ifconfig eth0 10.35.1.241 netmask 255.255.254.0 # route add default gw 10.35.1.1 but the filter is not working, I can ping the VMs from each other, Am I missing something?

Thanks, Shahar Havivi. -- libvir-list mailing list libvir-list(a)redhat.com https://www.redhat.com/mailman/listinfo/libvir-list

On 08.11.11 16:34, Stefan Berger wrote: > On 11/07/2011 04:25 AM, Shahar Havivi wrote: >> Hi, >> >> I want to limit VM traffic to a specific MAC address, ie VMs cannot >> traffic each other other then a specific gateway. >> >> I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml >> located in /etc/libvirt/nwfilter/: >> >> <filter name='isolatedprivatevlan-vdsm' chain='root'> >> <filterref filter='clean-traffic'/> >> <rule action='drop' direction='out' priority='500'> >> <mac match='no' dstmacaddr='$GATEWAY_MAC'/> >> </rule> >> </filter> >> > Try this one -- it works in 'my' subnet: > > <filter name='isolatedprivatevlan-vdsm' chain='ipv4'> > <filterref filter='clean-traffic'/> > <rule action='drop' direction='out' priority='10'> > <mac match='no' dstmacaddr='$GATEWAY_MAC'/> > </rule> > </filter> Thanks, Now it is blocking the traffic but I can't get traffic to the gateway as well...

> >> VM1 domian xml portion: >> <interface type="bridge"> >> <mac address="00:1a:4a:16:01:53"/> >> <model type="virtio"/> >> <source bridge="red"/> >> <filterref filter="isolatedprivatevlan-vdsm"> >> <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/> >> </filterref> >> </interface> >> >> >> VM2 domian xml portion: >> <interface type="bridge"> >> <mac address="00:1a:4a:16:01:52"/> >> <model type="virtio"/> >> <source bridge="red"/> >> <filterref filter="isolatedprivatevlan-vdsm"> >> <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/> >> </filterref> >> </interface> >> >> >> in each VM (Fedora 15 LiveCD) I assign ip: >> # ifconfig eth0 10.35.1.240 netmask 255.255.254.0 >> # route add default gw 10.35.1.1 >> >> vm2: >> # ifconfig eth0 10.35.1.241 netmask 255.255.254.0 >> # route add default gw 10.35.1.1 >> >> but the filter is not working, >> I can ping the VMs from each other, >> >> Am I missing something? > Try the above filter that puts the check into a different 'chain' > into different order. I'll be introducing a 'mac' chain where this > can then be put into rather than into the 'ipv4' chain. > The challenging part about the filtering rules is their order and > the XML can unfortunately not abstract this 'away'. > > Stefan > > >> Thanks, >> Shahar Havivi. >> >> -- >> libvir-list mailing list >> libvir-list(a)redhat.com >> https://www.redhat.com/mailman/listinfo/libvir-list >>

On 09.11.11 06:44, Stefan Berger wrote: > On 11/09/2011 04:01 AM, Shahar Havivi wrote: >> On 08.11.11 16:34, Stefan Berger wrote: >>> On 11/07/2011 04:25 AM, Shahar Havivi wrote: >>>> Hi, >>>> >>>> I want to limit VM traffic to a specific MAC address, ie VMs cannot >>>> traffic each other other then a specific gateway. >>>> >>>> I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml >>>> located in /etc/libvirt/nwfilter/: >>>> >>>> <filter name='isolatedprivatevlan-vdsm' chain='root'> >>>> <filterref filter='clean-traffic'/> >>>> <rule action='drop' direction='out' priority='500'> >>>> <mac match='no' dstmacaddr='$GATEWAY_MAC'/> >>>> </rule> >>>> </filter> >>>> >>> Try this one -- it works in 'my' subnet: >>> >>> <filter name='isolatedprivatevlan-vdsm' chain='ipv4'> >>> <filterref filter='clean-traffic'/> >>> <rule action='drop' direction='out' priority='10'> >>> <mac match='no' dstmacaddr='$GATEWAY_MAC'/> >>> </rule> >>> </filter> >> Thanks, >> Now it is blocking the traffic but I can't get traffic to the gateway as >> well... > That's odd. Can you ping the gateway from the VM? Is it typically > ping-able? Are you sure you specified the correct MAC addresses -- > check with 'arp -n' on a host in the same subnet and see what it > shows for the gateway (ping it if you don't see an entry). > > Stefan It's working only when I remove the line <filterref filter='clean-traffic'/> from the filter...

On 09.11.11 09:20, Stefan Berger wrote: > On 11/09/2011 07:44 AM, Shahar Havivi wrote: >> On 09.11.11 06:44, Stefan Berger wrote: >>> On 11/09/2011 04:01 AM, Shahar Havivi wrote: >>>> On 08.11.11 16:34, Stefan Berger wrote: >>>>> On 11/07/2011 04:25 AM, Shahar Havivi wrote: >>>>>> Hi, >>>>>> >>>>>> I want to limit VM traffic to a specific MAC address, ie VMs cannot >>>>>> traffic each other other then a specific gateway. >>>>>> >>>>>> I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml >>>>>> located in /etc/libvirt/nwfilter/: >>>>>> >>>>>> <filter name='isolatedprivatevlan-vdsm' chain='root'> >>>>>> <filterref filter='clean-traffic'/> >>>>>> <rule action='drop' direction='out' priority='500'> >>>>>> <mac match='no' dstmacaddr='$GATEWAY_MAC'/> >>>>>> </rule> >>>>>> </filter> >>>>>> >>>>> Try this one -- it works in 'my' subnet: >>>>> >>>>> <filter name='isolatedprivatevlan-vdsm' chain='ipv4'> >>>>> <filterref filter='clean-traffic'/> >>>>> <rule action='drop' direction='out' priority='10'> >>>>> <mac match='no' dstmacaddr='$GATEWAY_MAC'/> >>>>> </rule> >>>>> </filter> >>>> Thanks, >>>> Now it is blocking the traffic but I can't get traffic to the gateway as >>>> well... >>> That's odd. Can you ping the gateway from the VM? Is it typically >>> ping-able? Are you sure you specified the correct MAC addresses -- >>> check with 'arp -n' on a host in the same subnet and see what it >>> shows for the gateway (ping it if you don't see an entry). >>> >>> Stefan >> It's working only when I remove the line >> <filterref filter='clean-traffic'/> > >from the filter... > While you ping the gateway, can you re-add the above line to the filter? > > Stefan its working, even when stopping the ping and re-pinging the gateway, but it stop working after I stop and started the VM.

On 09.11.11 10:49, Stefan Berger wrote: > On 11/09/2011 09:38 AM, Shahar Havivi wrote: > >On 09.11.11 09:20, Stefan Berger wrote: > >>On 11/09/2011 07:44 AM, Shahar Havivi wrote: > >>>On 09.11.11 06:44, Stefan Berger wrote: > >>>>On 11/09/2011 04:01 AM, Shahar Havivi wrote: > >>>>>On 08.11.11 16:34, Stefan Berger wrote: > >>>>>>On 11/07/2011 04:25 AM, Shahar Havivi wrote: > >>>>>>>Hi, > >>>>>>> > >>>>>>>I want to limit VM traffic to a specific MAC address, ie VMs cannot > >>>>>>>traffic each other other then a specific gateway. > >>>>>>> > >>>>>>>I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml > >>>>>>>located in /etc/libvirt/nwfilter/: > >>>>>>> > >>>>>>><filter name='isolatedprivatevlan-vdsm' chain='root'> > >>>>>>> <filterref filter='clean-traffic'/> > >>>>>>> <rule action='drop' direction='out' priority='500'> > >>>>>>> <mac match='no' dstmacaddr='$GATEWAY_MAC'/> > >>>>>>> </rule> > >>>>>>></filter> > >>>>>>> > >>>>>>Try this one -- it works in 'my' subnet: > >>>>>> > >>>>>><filter name='isolatedprivatevlan-vdsm' chain='ipv4'> > >>>>>> <filterref filter='clean-traffic'/> > >>>>>> <rule action='drop' direction='out' priority='10'> > >>>>>> <mac match='no' dstmacaddr='$GATEWAY_MAC'/> > >>>>>> </rule> > >>>>>></filter> > >>>>>Thanks, > >>>>>Now it is blocking the traffic but I can't get traffic to the gateway as > >>>>>well... > >>>>That's odd. Can you ping the gateway from the VM? Is it typically > >>>>ping-able? Are you sure you specified the correct MAC addresses -- > >>>>check with 'arp -n' on a host in the same subnet and see what it > >>>>shows for the gateway (ping it if you don't see an entry). > >>>> > >>>> Stefan > >>>It's working only when I remove the line > >>> <filterref filter='clean-traffic'/> > >>>from the filter... > >>While you ping the gateway, can you re-add the above line to the filter? > >> > >> Stefan > >its working, even when stopping the ping and re-pinging the gateway, > >but it stop working after I stop and started the VM. > > > How does the VM get its IP address, static or DHCP ? If DHCP, could > you try a static IP address? > > In case it doesn't work, what does 'ebtables -t nat -L' show and > which IP address is assigned to the VM's interface? > > Stefan static ip, the ebtables output show ip 0.0.0.0 for the VM mac address: Bridge chain: I-vnet0-rarp, entries: 2, policy: ACCEPT -p 0x8035 -s 0:1a:4a:16:1:52 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52 --arp-mac-dst 0:1a:4a:16:1:52 -j ACCEPT -j DROP Bridge chain: O-vnet0-rarp, entries: 2, policy: ACCEPT -p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52 --arp-mac-dst 0:1a:4a:16:1:52 -j ACCEPT -j DROP How can I set the IP in the case?

> -- libvir-list mailing list libvir-list(a)redhat.com https://www.redhat.com/mailman/listinfo/libvir-list

On 11/10/2011 05:21 AM, Shahar Havivi wrote: >On 10.11.11 11:30, Shahar Havivi wrote: >>On 09.11.11 10:49, Stefan Berger wrote: >>>On 11/09/2011 09:38 AM, Shahar Havivi wrote: >>>>On 09.11.11 09:20, Stefan Berger wrote: >>>>>On 11/09/2011 07:44 AM, Shahar Havivi wrote: >>>>>>On 09.11.11 06:44, Stefan Berger wrote: >>>>>>>On 11/09/2011 04:01 AM, Shahar Havivi wrote: >>>>>>>>On 08.11.11 16:34, Stefan Berger wrote: >>>>>>>>>On 11/07/2011 04:25 AM, Shahar Havivi wrote: >>>>>>>>>>Hi, >>>>>>>>>> >>>>>>>>>>I want to limit VM traffic to a specific MAC address, ie VMs cannot >>>>>>>>>>traffic each other other then a specific gateway. >>>>>>>>>> >>>>>>>>>>I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml >>>>>>>>>>located in /etc/libvirt/nwfilter/: >>>>>>>>>> >>>>>>>>>><filter name='isolatedprivatevlan-vdsm' chain='root'> >>>>>>>>>> <filterref filter='clean-traffic'/> >>>>>>>>>> <rule action='drop' direction='out' priority='500'> >>>>>>>>>> <mac match='no' dstmacaddr='$GATEWAY_MAC'/> >>>>>>>>>> </rule> >>>>>>>>>></filter> >>>>>>>>>> >>>>>>>>>Try this one -- it works in 'my' subnet: >>>>>>>>> >>>>>>>>><filter name='isolatedprivatevlan-vdsm' chain='ipv4'> >>>>>>>>> <filterref filter='clean-traffic'/> >>>>>>>>> <rule action='drop' direction='out' priority='10'> >>>>>>>>> <mac match='no' dstmacaddr='$GATEWAY_MAC'/> >>>>>>>>> </rule> >>>>>>>>></filter> >>>>>>>>Thanks, >>>>>>>>Now it is blocking the traffic but I can't get traffic to the gateway as >>>>>>>>well... >>>>>>>That's odd. Can you ping the gateway from the VM? Is it typically >>>>>>>ping-able? Are you sure you specified the correct MAC addresses -- >>>>>>>check with 'arp -n' on a host in the same subnet and see what it >>>>>>>shows for the gateway (ping it if you don't see an entry). >>>>>>> >>>>>>> Stefan >>>>>>It's working only when I remove the line >>>>>> <filterref filter='clean-traffic'/> >>>>>>from the filter... >>>>>While you ping the gateway, can you re-add the above line to the filter? >>>>> >>>>> Stefan >>>>its working, even when stopping the ping and re-pinging the gateway, >>>>but it stop working after I stop and started the VM. >>>> >>>How does the VM get its IP address, static or DHCP ? If DHCP, could >>>you try a static IP address? >>> >>>In case it doesn't work, what does 'ebtables -t nat -L' show and >>>which IP address is assigned to the VM's interface? >>> >>> Stefan >>static ip, the ebtables output show ip 0.0.0.0 for the VM mac address: >> >>Bridge chain: I-vnet0-rarp, entries: 2, policy: ACCEPT >>-p 0x8035 -s 0:1a:4a:16:1:52 -d Broadcast --arp-op Request_Reverse >>--arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52 >>--arp-mac-dst 0:1a:4a:16:1:52 -j ACCEPT >>-j DROP >> >>Bridge chain: O-vnet0-rarp, entries: 2, policy: ACCEPT >>-p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 >>--arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52 --arp-mac-dst >>0:1a:4a:16:1:52 -j ACCEPT >>-j DROP >> >> >>How can I set the IP in the case? >Ok, >its working when I set the IP in the filter: ><filterref filter='clean-traffic'> > <parameter name='IP' value='10.35.16.50'/> ></filterref> > >I guess its the only solution...? The IP address in the parameter XML node has to match the one assigned to the interface inside the VM. If they don't match nothing works. If you leave out the line '<parameter name=.../>' then this will start libvirt's IP address learning/detection that will lock your VM into the first IP address it detects that the VM is using on a particular interface. This should also work. Stefan

>>-- >>libvir-list mailing list &gt;&gt;libvir-list(a)redhat.com >>https://www.redhat.com/mailman/listinfo/libvir-list